Easter Cyberattack Will Cost British Retailer Marks & Spencer $400 Million

The ‘highly sophisticated and targeted’ hacking over the holiday weekend could take a toll of one-third of the company’s profits in 2025 and 2026.
File photo of a Marks & Spencer store on Oxford Street in London on July 11, 2021.
Andrew Moran

British retailer Marks & Spencer said the Easter holiday cyberattack that disrupted operations could eliminate about one-third of its annual profits.

In its May 21 first-quarter earnings report, the UK retail giant projects that the incident will cost the business more than $400 million in operating profits for 2025 and 2026.

M&S plans to reduce the financial impact through cost mitigation, insurance, and trading actions.

“Over the last few weeks, we have been managing a highly sophisticated and targeted cyber-attack, which has led to a limited period of disruption,” company CEO Stuart Machin said in a statement accompanying the earnings report.

“It has been challenging, but it is a moment in time, and we are now focused on recovery, with the aim of exiting this period a much stronger business.”

The company plans to take advantage of the situation by accelerating its technological transformation plans outlined in 2024.

“In fact, we will condense the two-year plan into just six months,” Machin said.

“There is no change to our strategy and our longer-term plans to reshape M&S for growth and, if anything, the incident allows us to accelerate the pace of change as we draw a line and move on.”

Shares of M&S fell 3 percent during the May 21 trading session. The stock is down more than 8 percent in 2025.

The April cyberattack significantly harmed the company’s operations, resulting in empty store shelves and suspended online orders on its website and applications.

Hackers obtained access to the retailer through a third party. The breach was later attributed to human error.

M&S confirmed that customers’ data, such as names, addresses, dates of birth, and email addresses, were compromised. Payment details and passwords were not stolen, however. The company stated that there has been no evidence to suggest the stolen information was shared.

Cyberattacks in the UK

Other British retailers have also endured cyber incidents as of late.

On May 1, historic luxury department store Harrods said there were unauthorized attempts to access corporate systems. This prompted the company to restrict internet access at its locations, but it has not reported substantial disruptions to its operations, whether at its physical flagship store in London or its digital platform.

UK retailer Co-op, however, was not so fortunate.

As with Marks & Spencer, the cyberattack on Co-op caused delivery disruptions and empty store shelves at some locations. The hackers also stole employee and shopper data, forcing the company to halt aspects of its IT system.

“We have implemented measures to ensure that we prevent unauthorised access to our systems whilst minimising disruption for our members, customers, colleagues and partners,” the company said in a statement.
Undated file photo of Knightsbridge luxury department store Harrods in London. (PA)

“As a result of ongoing forensic investigations, we now know that the hackers were able to access and extract data from one of our systems.”

The National Cyber Security Centre (NCSC), a British government body established to support businesses in protecting against cyber risks, said it is working with the victimized retailers.

“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public,” Richard Horne, CEO of the NCSC, said in a statement.

“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.”

Horne said these attacks should serve “as a wake-up call” to all organizations in the public and private sectors.

US Cyber Threats

The United States has not been immune to cyberattacks.

Over the past several months, several U.S. companies have confirmed they were victims of cybersecurity incidents.

In April, rental car company Hertz Global said that some of its clients’ data were stolen in a digital breach involving a vendor.

Kidney dialysis behemoth DaVita stated in April that it was hit by a ransomware attack that encrypted various network components.

The federal government also verified an information security incident.

In a notice to Congress, the U.S. Office of the Comptroller of the Currency confirmed that the regulator’s emails and email attachments “were subject to unauthorized access.”

“I have taken immediate steps to determine the full extent of the breach and to remedy the long-held organizational and structural deficiencies that contributed to this incident,” acting Comptroller of the Currency Rodney E. Hood said. “There will be full accountability for the vulnerabilities identified and any missed internal findings that led to the unauthorized access.”

The estimated annual cost of cybercrime in the United States was $452.3 billion for 2024, according to Statista. This figure is expected to surpass $1 trillion by 2027.

Reuters contributed to this report.
Andrew Moran has been writing about business, economics, and finance for more than a decade. He is the author of "The War on Cash."